Which Screws Have to Tighten?

By Roberto Soriano, CISA, CRISC, CISM, ISO 27001 LA, PMP

When most organizations undertake an important process improvement effort (e.g., compliance, cyber security, governance), they typically refer to different standards and prepare a complex process to implement the improvement.

The main issue with that approach is that it refers to only one standard for the process and follows it strictly from the first page to the last. These kinds of projects are usually long in duration, expensive, require the engagement of several experts, and may require the purchase of hardware and software. These things are not cheap.

To easily integrate this kind of project into the organization, the project leader should take into account those processes that provide important value as quickly as possible for the organization (quick wins). By focusing on the quick wins, it will be less likely for stakeholders to withhold support from or question the project, and the project leader can quickly obtain support from the project sponsors.

One of the most helpful methods for the project leader is understanding the relation between business objectives and IT objectives and between IT objectives and IT processes, as described in COBIT 5. Starting with the main business objectives for the organization (no more than 3), the project leader can develop several IT objectives that can be selected by the chief information officer (CIO) (figure 1).

In figure 2, it is possible to verify that the business objective “Compliance with internal policies” is related to 4 IT goals. One of them has a secondary (S) relationship and the others are primary (P):

(P) IT compliance and support for business compliance with external laws and regulations

These IT goals should be prioritized by the CIO, chief information security officer (CISO) or IT manager. Once they have done so, they can obtain a list of processes. If the IT goals selected are the 2nd goal, IT compliance and support for business compliance with external laws and regulations, and the 15th goal, IT compliance with internal policies, then it becomes possible to obtain a list of related processes. Figure 3 shows the processes that are primary for these 2 IT goals.

Figure 3—Processes Related to the IT Goals Selected Where at Least One of Them Is Primary
Source: ISACA, COBIT 5, USA, 2012

The project leader will select the most important processes—the processes declared as primary for the IT goals. In this case, the project leader will use 2 processes (the 2 processes that are primary for both of the selected IT goals):

APO01 Manage the IT Management Framework

MEA02 Monitor, Evaluate and Assess the System of Internal Control

Based on these 2 processes, the project leader could obtain a list of enterprise goal metrics, IT-related goal metrics, process goals and activities that contribute to the achievement of the requested business objectives.
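The selection steps above (business objective to IT goals, IT goals to processes, then keeping the processes that are primary for every selected IT goal) amount to a small filtering routine over the COBIT 5 mapping tables. The following Python is an added illustration written for this page; it is not ISACA's mapping and not the author's material. The labels "IT02" and "IT15" stand for the article's 2nd and 15th IT goals, and the primary (P) relationships of APO01 and MEA02 to both of those goals follow the article; every other table entry is a constructed placeholder that only exists to exercise the logic. The last function goes slightly beyond the article by ranking candidate processes when no process is primary for all of the selected goals.

```python
"""COBIT 5 goals cascade, encoded as a small selection routine.

Constructed illustration for this page, not ISACA's official mapping tables.
"IT02" and "IT15" stand for the article's 2nd and 15th IT goals; the primary (P)
relationships of APO01 and MEA02 to both goals follow the article. Every other
entry is a placeholder chosen only to exercise the selection logic.
"""
from typing import Dict, List, Optional, Set, Tuple

Relation = str  # "P" (primary) or "S" (secondary)

# Enterprise goal -> IT goal -> relation (the role of figure 2; constructed data)
ENTERPRISE_TO_IT: Dict[str, Dict[str, Relation]] = {
    "Compliance with internal policies": {
        "IT02": "P",  # IT compliance and support for business compliance with external laws and regulations
        "IT15": "P",  # IT compliance with internal policies
        "IT10": "P",  # placeholder primary relationship
        "IT04": "S",  # placeholder secondary relationship
    },
}

# IT goal -> process -> relation (the role of figure 3; constructed data)
IT_TO_PROCESS: Dict[str, Dict[str, Relation]] = {
    "IT02": {"APO01": "P", "MEA02": "P", "MEA03": "P", "DSS05": "S"},
    "IT15": {"APO01": "P", "MEA02": "P", "EDM03": "P", "MEA03": "S"},
    "IT10": {"APO13": "P", "DSS05": "P", "MEA02": "S"},
    "IT04": {"APO12": "P", "DSS05": "S"},
}


def it_goals_for(enterprise_goal: str, relation: Relation = "P") -> List[str]:
    """Step 1: IT goals linked to an enterprise goal with the given relation."""
    links = ENTERPRISE_TO_IT.get(enterprise_goal)
    if links is None:
        raise ValueError(f"unknown enterprise goal: {enterprise_goal!r}")
    return sorted(goal for goal, rel in links.items() if rel == relation)


def _check_known(it_goals: List[str]) -> None:
    """Fail early on IT goal ids that have no mapping row."""
    unknown = [g for g in it_goals if g not in IT_TO_PROCESS]
    if unknown:
        raise ValueError(f"unknown IT goals: {unknown}")


def processes_primary_for_any(it_goals: List[str]) -> Set[str]:
    """Step 2: processes primary for at least one selected IT goal (what figure 3 lists)."""
    _check_known(it_goals)
    found: Set[str] = set()
    for goal in it_goals:
        found.update(p for p, rel in IT_TO_PROCESS[goal].items() if rel == "P")
    return found


def processes_primary_for_all(it_goals: List[str]) -> List[str]:
    """Step 3: processes primary for every selected IT goal (the quick-win choice)."""
    _check_known(it_goals)
    if not it_goals:
        return []
    common: Optional[Set[str]] = None
    for goal in it_goals:
        primary = {p for p, rel in IT_TO_PROCESS[goal].items() if rel == "P"}
        common = primary if common is None else common & primary
    return sorted(common)


def rank_processes(
    it_goals: List[str], weights: Optional[Dict[Relation, int]] = None
) -> List[Tuple[str, int]]:
    """Score every process touched by the selected IT goals, P counting more than S.

    Useful when the intersection above is empty: the ranking still orders the
    candidates by how much of the selected goal set each one supports.
    """
    weights = weights or {"P": 2, "S": 1}
    _check_known(it_goals)
    scores: Dict[str, int] = {}
    for goal in it_goals:
        for proc, rel in IT_TO_PROCESS[goal].items():
            scores[proc] = scores.get(proc, 0) + weights.get(rel, 0)
    # Highest score first; ties broken by process id for a stable report
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    goal = "Compliance with internal policies"
    print("Primary IT goals:", it_goals_for(goal))
    chosen = ["IT02", "IT15"]  # the CIO's selection in the article
    print("Primary for any selected goal:", sorted(processes_primary_for_any(chosen)))
    print("Primary for all selected goals:", processes_primary_for_all(chosen))
    print("Ranked:", rank_processes(chosen))
```

Run as a script, the "primary for all" line yields APO01 and MEA02, matching the article's selection, while the "primary for any" set is the larger figure 3 style list. Replacing the constructed tables with the organization's own goal-to-process mapping is the only change needed to reuse the routine on a real project.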

The enterprise goal metrics are:

Number of incidents related to noncompliance to policy

Percent of stakeholders who understand policies

Percent of policies supported by effective standards and working practices

The IT-related goal metrics include:

Cost of IT noncompliance, including settlements and fines, and the impact of reputational loss

Number of IT-related noncompliance issues reported to the board or causing public comment or embarrassment

Number of noncompliance issues relating to contractual agreements with IT service providers

Coverage of compliance assessments

Number of incidents related to noncompliance to policy

Percent of stakeholders who understand policies

Percent of policies supported by effective standards and working practices

Frequency of policies review and update

The process goals include:

Percent of active policies, standards and other enablers documented and up to date

Date of last updates to the framework and enablers

Number of risk exposures due to inadequacies in the design of the control environment

Number of staff who attended training or awareness sessions

Percent of third-party suppliers who have contracts defining control requirements

Percent of processes with assured output meeting targets within tolerances

Percent of processes assured as compliant with internal control targets

Percent of assurance initiatives following approved assurance program and plan standards

Percent of processes receiving independent review

Number of weaknesses identified by external qualification and certification reports

Number of major internal control breaches

Time between internal control deficiency occurrence and reporting

And now the activities. For APO01, there are 48 activities in 8 management practices, and for MEA02, there are 44 activities in 8 management practices. The project leader could implement these activities as part of a process using COBIT and taking into consideration some parts of other standards (e.g., International Organization for Standardization [ISO] 27002, IT Infrastructure Library [ITIL], Projects in Controlled Environments [PRINCE2]). These standards could be more detailed for some parts of the project.

This does not mean the project leader disregards the other processes. They are also important for the project leader and, certainly, they will help to obtain the information needed as input for the selected processes. The selected processes help to prioritize the efforts, producing outcomes aligned with the main business objectives. With the results of the example, the project leader could focus on IT compliance and support for business compliance with external laws and regulations, and on IT compliance with internal policies, to obtain enterprise compliance with internal policies. All of these are clear indicators of progress toward the intended objective.

Conclusion

With this method, the project leader could implement processes selected according to their importance to the business objectives and the interrelationships between the processes. Both the board and stakeholders will notice that goals are moving toward achievement, which eases the relationship between the parties and the project sponsors. The organization is not thinking about implementing COBIT. Instead, the organization is focused on implementing a framework for cyber security or compliance or some other need, and it is the project leader who uses COBIT to achieve the organization’s goals.

Roberto Soriano, CISA, CRISC, CISM, ISO 27001 LA, PMP, is a senior IT security consultant with SEIDOR with more than 15 years of experience in information systems security. Currently, he is working with several international customers in the process of improving information security based on existing risk and vulnerabilities. He has used COBIT regularly on more than 50 different projects since 2009.